What Changed
Systematic field name standardisation across Snowflake detection rules, parser, and workbook to align with normalised schema, plus mixed solution maintenance for Tanium, ZeroTrust, and Trend Micro connectors.
Security Impact (Visibility & Fidelity)
Detection Query Failures Eliminated: All 10 Snowflake detection rules were using legacy field names (QUERY_TYPE_s, EXECUTION_STATUS_s, IS_SUCCESS_s) that no longer exist in the normalised parser output. Queries were returning zero results despite active Snowflake logging — this created a complete detection blind spot for database activity monitoring.
Field Mappings Restored:
- Login failure detection now properly references LoginIsSuccess instead of IS_SUCCESS_s
- Query monitoring uses QueryType/QueryText instead of QUERY_TYPE_s/QUERY_TEXT_s
- Performance thresholds reference QueryTotalElapsedTime instead of TOTAL_ELAPSED_TIME_d
- Privilege escalation detection correctly maps QueryExecutionStatus instead of EXECUTION_STATUS_s
Parser Schema Consistency: Parser now properly exposes normalised fields (QueryTotalElapsedTime, QueryCreditsUsedCloudServices, QueryExecutionTime) with correct data types, eliminating type conversion errors in downstream analytics.
Detection Logic
SnowflakeDiscoveryActivity: Monitors SHOW commands with SUCCESS status to detect reconnaissance activity — now properly filters on QueryType and QueryExecutionStatus fields.
SnowflakeMultipleLoginFailure: Tracks failed authentication attempts by monitoring LOGIN events where LoginIsSuccess equals “No” — authentication monitoring was completely broken due to field mismatch.
SnowflakePossibleDataDestruction: Identifies potential data destruction via DROP commands — critical for detecting insider threats and data sabotage attempts.
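The following is an added example, not code from this PR or from the Snowflake solution. It models the two points made above in runnable Python: first, that a rule referencing a field the parser no longer emits matches nothing (the blind spot described under Security Impact), together with the schema lint that would catch such dangling references before deployment; second, the detection logic of the three rules described under Detection Logic, plus the QueryTotalElapsedTime threshold, run over constructed records. Field names are taken from the PR text; the record shape, the EventType/UserName/ClientIp fields, the sample values and the thresholds are assumptions made for the example.

```python
"""Field-reference lint and sample detections over normalised Snowflake records.

Added example, not part of the PR. Field names come from the PR; the record
shape, EventType/UserName/ClientIp, sample values and thresholds are assumptions.
"""
from collections import Counter

# Fields the normalised parser exposes (names from the PR; this set is
# illustrative, not the parser's complete schema).
PARSER_FIELDS = {
    "EventType", "UserName", "ClientIp", "LoginIsSuccess",
    "QueryType", "QueryText", "QueryExecutionStatus",
    "QueryTotalElapsedTime", "QueryCreditsUsedCloudServices", "QueryExecutionTime",
}

# Legacy names the rules referenced before the fix -> normalised replacement.
LEGACY_TO_NORMALISED = {
    "IS_SUCCESS_s": "LoginIsSuccess",
    "QUERY_TYPE_s": "QueryType",
    "QUERY_TEXT_s": "QueryText",
    "TOTAL_ELAPSED_TIME_d": "QueryTotalElapsedTime",
    "EXECUTION_STATUS_s": "QueryExecutionStatus",
}

# Constructed events shaped like normalised parser output; all values invented.
EVENTS = [
    {"EventType": "LOGIN", "UserName": "alice", "ClientIp": "203.0.113.10", "LoginIsSuccess": "No"},
    {"EventType": "LOGIN", "UserName": "alice", "ClientIp": "203.0.113.10", "LoginIsSuccess": "No"},
    {"EventType": "LOGIN", "UserName": "alice", "ClientIp": "203.0.113.10", "LoginIsSuccess": "No"},
    {"EventType": "LOGIN", "UserName": "bob", "ClientIp": "198.51.100.7", "LoginIsSuccess": "Yes"},
    {"EventType": "QUERY", "UserName": "bob", "QueryType": "SHOW", "QueryText": "SHOW TABLES IN SCHEMA hr",
     "QueryExecutionStatus": "SUCCESS", "QueryTotalElapsedTime": 85},
    {"EventType": "QUERY", "UserName": "bob", "QueryType": "SHOW", "QueryText": "SHOW GRANTS TO USER bob",
     "QueryExecutionStatus": "FAIL", "QueryTotalElapsedTime": 12},
    {"EventType": "QUERY", "UserName": "bob", "QueryType": "DROP", "QueryText": "DROP TABLE hr.payroll",
     "QueryExecutionStatus": "SUCCESS", "QueryTotalElapsedTime": 430},
    {"EventType": "QUERY", "UserName": "carol", "QueryType": "SELECT", "QueryText": "SELECT 1",
     "QueryExecutionStatus": "SUCCESS", "QueryTotalElapsedTime": 3},
]


def missing_fields(rule_fields, parser_fields=PARSER_FIELDS):
    """Return the rule's field references that the parser does not emit.

    Run over every rule's where/summarize columns in CI, this flags a schema
    drift before the rule silently returns zero rows in production.
    """
    return sorted(set(rule_fields) - set(parser_fields))


def count_where(events, field, value):
    """Count events whose `field` equals `value`. A field absent from the record
    never matches, which is how the legacy-named rules produced empty results."""
    return sum(1 for e in events if e.get(field) == value)


def multiple_login_failures(events, threshold=3):
    """SnowflakeMultipleLoginFailure: users with >= threshold LOGIN events where
    LoginIsSuccess == "No". The threshold value is an assumption."""
    failures = Counter(e["UserName"] for e in events
                       if e.get("EventType") == "LOGIN" and e.get("LoginIsSuccess") == "No")
    return sorted(user for user, n in failures.items() if n >= threshold)


def discovery_activity(events):
    """SnowflakeDiscoveryActivity: SHOW commands that completed with SUCCESS,
    filtered on QueryType and QueryExecutionStatus."""
    return [e["QueryText"] for e in events
            if e.get("QueryType") == "SHOW" and e.get("QueryExecutionStatus") == "SUCCESS"]


def possible_data_destruction(events):
    """SnowflakePossibleDataDestruction: DROP commands. Filtering on QueryType
    alone (not also on status) is an assumption; the PR names only the command."""
    return [e["QueryText"] for e in events if e.get("QueryType") == "DROP"]


def long_query_process_time(events, threshold=400):
    """SnowflakeLongQueryProcessTime: queries whose QueryTotalElapsedTime exceeds
    the threshold. Unit and value are assumptions; the PR only names the field."""
    return [e["QueryText"] for e in events if e.get("QueryTotalElapsedTime", 0) > threshold]


if __name__ == "__main__":
    print("dangling references:", missing_fields(LEGACY_TO_NORMALISED.keys()))
    # Same question asked with the legacy and the normalised field name.
    print("IS_SUCCESS_s == 'No':", count_where(EVENTS, "IS_SUCCESS_s", "No"))
    print("LoginIsSuccess == 'No':", count_where(EVENTS, "LoginIsSuccess", "No"))
    print("login failures:", multiple_login_failures(EVENTS))
    print("discovery:", discovery_activity(EVENTS))
    print("destruction:", possible_data_destruction(EVENTS))
    print("long queries:", long_query_process_time(EVENTS))
```

The lint is the piece worth carrying forward: the rule YAML files and the parser live in the same repository, so a CI step that extracts each rule's column references and diffs them against the parser's output columns turns this class of silent regression into a failing build rather than a zero-result query nobody notices.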
Affected Files
- Solutions/Snowflake/Analytic Rules/SnowflakeDiscoveryActivity.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakeLongQueryProcessTime.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakeMultipleFailedQueries.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakeMultipleLoginFailure.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakeMultipleLoginFailureFromIP.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakePossibleDataDestruction.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakePrivilegesDiscovery.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakeQueryOnSensitiveTable.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakeUnusualQuery.yaml
- Solutions/Snowflake/Analytic Rules/SnowflakeUserAddAdminPrivileges.yaml
- Solutions/Snowflake/Parsers/Snowflake.yaml
- Solutions/Snowflake/Workbooks/Snowflake.json
- Packaging artefacts: mainTemplate.json, createUiDefinition.json, etc.